Faidon Liambotis has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/373281 )

Change subject: Delete stray patch file
......................................................................

Delete stray patch file

Introduced accidentally in commit 73964dd.

Change-Id: Ia9e4d91805026c4ddb603ef99cceb806a75e18e1
---
D 0001-openstack-keystone-as-module-profile-role-for-deploy.patch
1 file changed, 0 insertions(+), 1,915 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/81/373281/1

diff --git a/0001-openstack-keystone-as-module-profile-role-for-deploy.patch 
b/0001-openstack-keystone-as-module-profile-role-for-deploy.patch
deleted file mode 100644
index af2c13f..0000000
--- a/0001-openstack-keystone-as-module-profile-role-for-deploy.patch
+++ /dev/null
@@ -1,1915 +0,0 @@
-From a924377d919af4f219f20d79e37cd32d9d4780b4 Mon Sep 17 00:00:00 2001
-From: root <[email protected]>
-Date: Fri, 4 Aug 2017 22:01:00 +0000
-Subject: [PATCH] openstack: keystone as module/profile/role for deployments
-
-Bug: T171494
----
- hieradata/codfw/profile/openstack/labtest.yaml     |   4 +-
- .../codfw/profile/openstack/labtest/keystone.yaml  |   2 +
- hieradata/codfw/profile/openstack/labtestn.yaml    |   2 +
- .../codfw/profile/openstack/labtestn/keystone.yaml |   2 +
- hieradata/common/profile/openstack/base.yaml       |   4 +
- .../common/profile/openstack/base/keystone.yaml    |   5 +
- hieradata/eqiad/profile/openstack/main.yaml        |   2 +
- .../eqiad/profile/openstack/main/keystone.yaml     |   2 +
- .../files/keystone-admin-uwsgi.logrotate           |   8 +
- .../files/keystone-public-uwsgi.logrotate          |   8 +
- .../files/liberty/keystone/keystone-paste.ini      | 103 +++++
- .../openstack2/files/liberty/keystone/logging.conf |  39 ++
- .../openstack2/files/liberty/keystone/policy.json  | 183 +++++++++
- .../wmfkeystoneauth.egg-info/entry_points.txt      |   5 +
- .../liberty/keystone/wmfkeystoneauth/__init__.py   |   0
- .../keystone/wmfkeystoneauth/password_whitelist.py |  72 ++++
- .../keystone/wmfkeystoneauth/wikitechclient.py     |  61 +++
- .../liberty/keystone/wmfkeystoneauth/wmtotp.py     | 118 ++++++
- modules/openstack2/manifests/keystone/cleanup.pp   |  52 +++
- modules/openstack2/manifests/keystone/hooks.pp     |  25 ++
- modules/openstack2/manifests/keystone/monitor.pp   |  47 +++
- modules/openstack2/manifests/keystone/service.pp   | 218 +++++++++++
- .../templates/liberty/keystone/keystone.conf.erb   | 413 +++++++++++++++++++++
- .../manifests/openstack/base/keystone/hooks.pp     |   8 +
- .../manifests/openstack/base/keystone/service.pp   |  56 +++
- .../openstack/labtest/keystone/service.pp          |  50 +++
- .../manifests/openstack/labtest/rabbitmq.pp        |   2 +-
- .../openstack/labtestn/keystone/service.pp         |  50 +++
- .../manifests/openstack/labtestn/rabbitmq.pp       |   2 +-
- .../manifests/openstack/main/keystone/service.pp   |  55 +++
- .../profile/manifests/openstack/main/rabbitmq.pp   |   2 +-
- .../manifests/wmcs/openstack/labtest/control.pp    |   3 +-
- .../manifests/wmcs/openstack/labtestn/control.pp   |   3 +-
- .../role/manifests/wmcs/openstack/main/control.pp  |   3 +-
- 34 files changed, 1599 insertions(+), 10 deletions(-)
- create mode 100644 hieradata/codfw/profile/openstack/labtest/keystone.yaml
- create mode 100644 hieradata/codfw/profile/openstack/labtestn/keystone.yaml
- create mode 100644 hieradata/common/profile/openstack/base/keystone.yaml
- create mode 100644 hieradata/eqiad/profile/openstack/main/keystone.yaml
- create mode 100644 modules/openstack2/files/keystone-admin-uwsgi.logrotate
- create mode 100644 modules/openstack2/files/keystone-public-uwsgi.logrotate
- create mode 100644 
modules/openstack2/files/liberty/keystone/keystone-paste.ini
- create mode 100644 modules/openstack2/files/liberty/keystone/logging.conf
- create mode 100644 modules/openstack2/files/liberty/keystone/policy.json
- create mode 100644 
modules/openstack2/files/liberty/keystone/wmfkeystoneauth.egg-info/entry_points.txt
- create mode 100644 
modules/openstack2/files/liberty/keystone/wmfkeystoneauth/__init__.py
- create mode 100644 
modules/openstack2/files/liberty/keystone/wmfkeystoneauth/password_whitelist.py
- create mode 100644 
modules/openstack2/files/liberty/keystone/wmfkeystoneauth/wikitechclient.py
- create mode 100644 
modules/openstack2/files/liberty/keystone/wmfkeystoneauth/wmtotp.py
- create mode 100644 modules/openstack2/manifests/keystone/cleanup.pp
- create mode 100644 modules/openstack2/manifests/keystone/hooks.pp
- create mode 100644 modules/openstack2/manifests/keystone/monitor.pp
- create mode 100644 modules/openstack2/manifests/keystone/service.pp
- create mode 100644 
modules/openstack2/templates/liberty/keystone/keystone.conf.erb
- create mode 100644 modules/profile/manifests/openstack/base/keystone/hooks.pp
- create mode 100644 
modules/profile/manifests/openstack/base/keystone/service.pp
- create mode 100644 
modules/profile/manifests/openstack/labtest/keystone/service.pp
- create mode 100644 
modules/profile/manifests/openstack/labtestn/keystone/service.pp
- create mode 100644 
modules/profile/manifests/openstack/main/keystone/service.pp
-
-diff --git a/hieradata/codfw/profile/openstack/labtest.yaml 
b/hieradata/codfw/profile/openstack/labtest.yaml
-index 6213ee8..6be5986 100644
---- a/hieradata/codfw/profile/openstack/labtest.yaml
-+++ b/hieradata/codfw/profile/openstack/labtest.yaml
-@@ -1,4 +1,6 @@
- profile::openstack::labtest::version: 'liberty'
- profile::openstack::labtest::nova_controller: 
'labtestcontrol2001.wikimedia.org'
- profile::openstack::labtest::rabbit_monitor_user: 'monitoring'
--profile::openstack::labtest::rabbit_file_handles: 1024
-+profile::openstack::labtest::rabbit_file_handles: 8192
-+profile::openstack::labtest::osm_host: 'labtestwikitech.wikimedia.org'
-+profile::openstack::labtest::ldap_hosts: ['labtestservices2001.wikimedia.org']
-diff --git a/hieradata/codfw/profile/openstack/labtest/keystone.yaml 
b/hieradata/codfw/profile/openstack/labtest/keystone.yaml
-new file mode 100644
-index 0000000..29270bc
---- /dev/null
-+++ b/hieradata/codfw/profile/openstack/labtest/keystone.yaml
-@@ -0,0 +1,2 @@
-+profile::openstack::labtest::keystone::db_host: 
'labtestcontrol2001.wikimedia.org'
-+profile::openstack::labtest::keystone::token_driver: 'normal'
-diff --git a/hieradata/codfw/profile/openstack/labtestn.yaml 
b/hieradata/codfw/profile/openstack/labtestn.yaml
-index be7a3d2..4fdb9ac 100644
---- a/hieradata/codfw/profile/openstack/labtestn.yaml
-+++ b/hieradata/codfw/profile/openstack/labtestn.yaml
-@@ -2,3 +2,5 @@ profile::openstack::labtestn::version: 'liberty'
- profile::openstack::labtestn::nova_controller: 
'labtestcontrol2003.wikimedia.org'
- profile::openstack::labtestn::rabbit_monitor_user: 'monitoring'
- profile::openstack::labtestn::rabbit_file_handles: 8192
-+profile::openstack::labtestn::osm_host: 'labtestnwikitech.wikimedia.org'
-+profile::openstack::labtestn::ldap_hosts: 
['labtestservices2001.wikimedia.org']
-diff --git a/hieradata/codfw/profile/openstack/labtestn/keystone.yaml 
b/hieradata/codfw/profile/openstack/labtestn/keystone.yaml
-new file mode 100644
-index 0000000..0ccb701
---- /dev/null
-+++ b/hieradata/codfw/profile/openstack/labtestn/keystone.yaml
-@@ -0,0 +1,2 @@
-+profile::openstack::labtestn::keystone::db_host: 
'labtestcontrol2003.wikimedia.org'
-+profile::openstack::labtestn::keystone::token_driver: 'normal'
-diff --git a/hieradata/common/profile/openstack/base.yaml 
b/hieradata/common/profile/openstack/base.yaml
-index f4a5a71..ccf32d5 100644
---- a/hieradata/common/profile/openstack/base.yaml
-+++ b/hieradata/common/profile/openstack/base.yaml
-@@ -1,2 +1,6 @@
- profile::openstack::base::region: "%{::site}"
- profile::openstack::base::observer_user: 'novaobserver'
-+profile::openstack::base::ldap_base_dn: 'dc=wikimedia,dc=org'
-+profile::openstack::base::ldap_user_id_attribute: 'uid'
-+profile::openstack::base::ldap_user_name_attribute: 'cn'
-+profile::openstack::base::ldap_user_dn: 
'uid=novaadmin,ou=people,dc=wikimedia,dc=org'
-diff --git a/hieradata/common/profile/openstack/base/keystone.yaml 
b/hieradata/common/profile/openstack/base/keystone.yaml
-new file mode 100644
-index 0000000..3041820
---- /dev/null
-+++ b/hieradata/common/profile/openstack/base/keystone.yaml
-@@ -0,0 +1,5 @@
-+profile::openstack::base::keystone::db_name: 'keystone'
-+profile::openstack::base::keystone::db_user: 'keystone'
-+profile::openstack::base::keystone::auth_protocol: 'http'
-+profile::openstack::base::keystone::auth_port: '35357'
-+profile::openstack::base::keystone::wiki_status_page_prefix: 'Nova_Resource:'
-diff --git a/hieradata/eqiad/profile/openstack/main.yaml 
b/hieradata/eqiad/profile/openstack/main.yaml
-index cd85b35..3aa7699 100644
---- a/hieradata/eqiad/profile/openstack/main.yaml
-+++ b/hieradata/eqiad/profile/openstack/main.yaml
-@@ -1,4 +1,6 @@
- profile::openstack::main::version: 'liberty'
- profile::openstack::main::nova_controller: 'labcontrol1001.wikimedia.org'
-+profile::openstack::main::osm_host: 'wikitech.wikimedia.org'
- profile::openstack::main::rabbit_monitor_user: 'monitoring'
- profile::openstack::main::rabbit_file_handles: 8192
-+profile::openstack::main::ldap_hosts: 
['ldap://ldap-labs.eqiad.wikimedia.org', 'ldap://ldap-labs.codfw.wikimedia.org']
-diff --git a/hieradata/eqiad/profile/openstack/main/keystone.yaml 
b/hieradata/eqiad/profile/openstack/main/keystone.yaml
-new file mode 100644
-index 0000000..7a3821a
---- /dev/null
-+++ b/hieradata/eqiad/profile/openstack/main/keystone.yaml
-@@ -0,0 +1,2 @@
-+profile::openstack::main::keystone::db_host: 'm5-master.eqiad.wmnet'
-+profile::openstack::main::keystone::token_driver: 'normal'
-diff --git a/modules/openstack2/files/keystone-admin-uwsgi.logrotate 
b/modules/openstack2/files/keystone-admin-uwsgi.logrotate
-new file mode 100644
-index 0000000..ad9a1b4
---- /dev/null
-+++ b/modules/openstack2/files/keystone-admin-uwsgi.logrotate
-@@ -0,0 +1,8 @@
-+/var/log/designate/keystone-admin-uwsgi.log {
-+    daily
-+    missingok
-+    compress
-+    delaycompress
-+    notifempty
-+    copytruncate
-+}
-diff --git a/modules/openstack2/files/keystone-public-uwsgi.logrotate 
b/modules/openstack2/files/keystone-public-uwsgi.logrotate
-new file mode 100644
-index 0000000..7766a2b
---- /dev/null
-+++ b/modules/openstack2/files/keystone-public-uwsgi.logrotate
-@@ -0,0 +1,8 @@
-+/var/log/designate/keystone-public-uwsgi.log {
-+    daily
-+    missingok
-+    compress
-+    delaycompress
-+    notifempty
-+    copytruncate
-+}
-diff --git a/modules/openstack2/files/liberty/keystone/keystone-paste.ini 
b/modules/openstack2/files/liberty/keystone/keystone-paste.ini
-new file mode 100644
-index 0000000..0792f42
---- /dev/null
-+++ b/modules/openstack2/files/liberty/keystone/keystone-paste.ini
-@@ -0,0 +1,103 @@
-+# Keystone PasteDeploy configuration file.
-+
-+[filter:debug]
-+use = egg:keystone#debug
-+
-+[filter:request_id]
-+use = egg:keystone#request_id
-+
-+[filter:build_auth_context]
-+use = egg:keystone#build_auth_context
-+
-+[filter:token_auth]
-+use = egg:keystone#token_auth
-+
-+[filter:admin_token_auth]
-+use = egg:keystone#admin_token_auth
-+
-+[filter:json_body]
-+use = egg:keystone#json_body
-+
-+[filter:user_crud_extension]
-+use = egg:keystone#user_crud_extension
-+
-+[filter:crud_extension]
-+use = egg:keystone#crud_extension
-+
-+[filter:ec2_extension]
-+use = egg:keystone#ec2_extension
-+
-+[filter:ec2_extension_v3]
-+use = egg:keystone#ec2_extension_v3
-+
-+[filter:federation_extension]
-+use = egg:keystone#federation_extension
-+
-+[filter:oauth1_extension]
-+use = egg:keystone#oauth1_extension
-+
-+[filter:s3_extension]
-+use = egg:keystone#s3_extension
-+
-+[filter:endpoint_filter_extension]
-+use = egg:keystone#endpoint_filter_extension
-+
-+[filter:simple_cert_extension]
-+use = egg:keystone#simple_cert_extension
-+
-+[filter:revoke_extension]
-+use = egg:keystone#revoke_extension
-+
-+[filter:url_normalize]
-+use = egg:keystone#url_normalize
-+
-+[filter:sizelimit]
-+use = egg:keystone#sizelimit
-+
-+[app:public_service]
-+use = egg:keystone#public_service
-+
-+[app:service_v3]
-+use = egg:keystone#service_v3
-+
-+[app:admin_service]
-+use = egg:keystone#admin_service
-+
-+[pipeline:public_api]
-+# The last item in this pipeline must be public_service or an equivalent
-+# application. It cannot be a filter.
-+pipeline = sizelimit url_normalize request_id build_auth_context token_auth 
json_body ec2_extension user_crud_extension public_service
-+
-+[pipeline:admin_api]
-+# The last item in this pipeline must be admin_service or an equivalent
-+# application. It cannot be a filter.
-+pipeline = sizelimit url_normalize request_id build_auth_context token_auth 
json_body ec2_extension s3_extension crud_extension admin_service
-+
-+[pipeline:api_v3]
-+# The last item in this pipeline must be service_v3 or an equivalent
-+# application. It cannot be a filter.
-+pipeline = sizelimit url_normalize request_id build_auth_context token_auth 
json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension 
federation_extension oauth1_extension endpoint_filter_extension service_v3
-+
-+[app:public_version_service]
-+use = egg:keystone#public_version_service
-+
-+[app:admin_version_service]
-+use = egg:keystone#admin_version_service
-+
-+[pipeline:public_version_api]
-+pipeline = sizelimit url_normalize public_version_service
-+
-+[pipeline:admin_version_api]
-+pipeline = sizelimit url_normalize admin_version_service
-+
-+[composite:main]
-+use = egg:Paste#urlmap
-+/v2.0 = public_api
-+/v3 = api_v3
-+/ = public_version_api
-+
-+[composite:admin]
-+use = egg:Paste#urlmap
-+/v2.0 = admin_api
-+/v3 = api_v3
-+/ = admin_version_api
-diff --git a/modules/openstack2/files/liberty/keystone/logging.conf 
b/modules/openstack2/files/liberty/keystone/logging.conf
-new file mode 100644
-index 0000000..59df5f0
---- /dev/null
-+++ b/modules/openstack2/files/liberty/keystone/logging.conf
-@@ -0,0 +1,39 @@
-+[loggers]
-+keys=root
-+
-+[formatters]
-+keys=normal,normal_with_name,debug
-+
-+[handlers]
-+keys=production,file,devel
-+
-+[logger_root]
-+level=WARNING
-+handlers=file
-+
-+[handler_production]
-+class=handlers.SysLogHandler
-+level=WARNING
-+formatter=normal_with_name
-+args=(('localhost', handlers.SYSLOG_UDP_PORT), 
handlers.SysLogHandler.LOG_USER)
-+
-+[handler_file]
-+class=FileHandler
-+level=WARNING
-+formatter=normal_with_name
-+args=('/var/log/keystone/keystone.log', 'a')
-+
-+[handler_devel]
-+class=StreamHandler
-+level=WARNING
-+formatter=debug
-+args=(sys.stdout,)
-+
-+[formatter_normal]
-+format=%(asctime)s %(levelname)s %(message)s
-+
-+[formatter_normal_with_name]
-+format=(%(name)s): %(asctime)s %(levelname)s %(message)s
-+
-+[formatter_debug]
-+format=(%(name)s): %(asctime)s %(levelname)s %(module)s %(funcName)s 
%(message)s
-diff --git a/modules/openstack2/files/liberty/keystone/policy.json 
b/modules/openstack2/files/liberty/keystone/policy.json
-new file mode 100644
-index 0000000..2ed289c
---- /dev/null
-+++ b/modules/openstack2/files/liberty/keystone/policy.json
-@@ -0,0 +1,183 @@
-+{
-+    "admin_required": "role:admin or is_admin:1",
-+    "service_role": "role:service",
-+    "service_or_admin": "rule:admin_required or rule:service_role",
-+    "owner" : "user_id:%(user_id)s",
-+    "admin_or_owner": "rule:admin_required or rule:owner",
-+    "token_subject": "user_id:%(target.token.user_id)s",
-+    "admin_or_token_subject": "rule:admin_required or rule:token_subject",
-+ 
-+    "default": "rule:admin_required",
-+ 
-+    "identity:get_region": "",
-+    "identity:list_regions": "rule:admin_required",
-+    "identity:create_region": "rule:admin_required",
-+    "identity:update_region": "rule:admin_required",
-+    "identity:delete_region": "rule:admin_required",
-+ 
-+    "identity:get_service": "",
-+    "identity:list_services": "",
-+    "identity:create_service": "rule:admin_required",
-+    "identity:update_service": "rule:admin_required",
-+    "identity:delete_service": "rule:admin_required",
-+ 
-+    "identity:get_endpoint": "",
-+    "identity:list_endpoints": "",
-+    "identity:create_endpoint": "rule:admin_required",
-+    "identity:update_endpoint": "rule:admin_required",
-+    "identity:delete_endpoint": "rule:admin_required",
-+ 
-+    "identity:get_domain": "rule:admin_required",
-+    "identity:list_domains": "rule:admin_required",
-+    "identity:create_domain": "rule:admin_required",
-+    "identity:update_domain": "rule:admin_required",
-+    "identity:delete_domain": "rule:admin_required",
-+ 
-+    "identity:get_project": "rule:admin_required",
-+    "identity:list_projects": "",
-+    "identity:list_user_projects": "",
-+    "identity:create_project": "rule:admin_required",
-+    "identity:update_project": "rule:admin_required",
-+    "identity:delete_project": "rule:admin_required",
-+ 
-+    "identity:get_user": "",
-+    "identity:list_users": "",
-+    "identity:create_user": "rule:admin_required",
-+    "identity:update_user": "rule:admin_required",
-+    "identity:delete_user": "rule:admin_required",
-+    "identity:change_password": "rule:admin_or_owner",
-+ 
-+    "identity:get_group": "rule:admin_required",
-+    "identity:list_groups": "rule:admin_required",
-+    "identity:list_groups_for_user": "rule:admin_or_owner",
-+    "identity:create_group": "rule:admin_required",
-+    "identity:update_group": "rule:admin_required",
-+    "identity:delete_group": "rule:admin_required",
-+    "identity:list_users_in_group": "rule:admin_required",
-+    "identity:remove_user_from_group": "rule:admin_required",
-+    "identity:check_user_in_group": "rule:admin_required",
-+    "identity:add_user_to_group": "rule:admin_required",
-+ 
-+    "identity:get_credential": "rule:admin_required",
-+    "identity:list_credentials": "rule:admin_required",
-+    "identity:create_credential": "rule:admin_required",
-+    "identity:update_credential": "rule:admin_required",
-+    "identity:delete_credential": "rule:admin_required",
-+ 
-+    "identity:ec2_get_credential": "rule:admin_required or (rule:owner and 
user_id:%(target.credential.user_id)s)",
-+    "identity:ec2_list_credentials": "rule:admin_or_owner",
-+    "identity:ec2_create_credential": "rule:admin_or_owner",
-+    "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and 
user_id:%(target.credential.user_id)s)",
-+ 
-+    "identity:get_role": "",
-+    "identity:list_roles": "",
-+    "identity:create_role": "rule:admin_required",
-+    "identity:update_role": "rule:admin_required",
-+    "identity:delete_role": "rule:admin_required",
-+ 
-+    "identity:check_grant": "rule:admin_required",
-+    "identity:list_grants": "rule:admin_required",
-+    "identity:create_grant": "rule:admin_required",
-+    "identity:revoke_grant": "rule:admin_required",
-+ 
-+    "identity:list_role_assignments": "",
-+ 
-+    "identity:get_policy": "rule:admin_required",
-+    "identity:list_policies": "rule:admin_required",
-+    "identity:create_policy": "rule:admin_required",
-+    "identity:update_policy": "rule:admin_required",
-+    "identity:delete_policy": "rule:admin_required",
-+ 
-+    "identity:check_token": "rule:admin_or_token_subject",
-+    "identity:validate_token": "rule:service_admin_or_token_subject",
-+    "identity:validate_token_head": "rule:service_or_admin",
-+    "identity:revocation_list": "rule:service_or_admin",
-+    "identity:revoke_token": "rule:admin_or_token_subject",
-+ 
-+    "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
-+    "identity:list_trusts": "rule:admin_required",
-+    "identity:list_roles_for_trust": "",
-+    "identity:get_role_for_trust": "",
-+    "identity:delete_trust": "",
-+ 
-+    "identity:create_consumer": "rule:admin_required",
-+    "identity:get_consumer": "rule:admin_required",
-+    "identity:list_consumers": "rule:admin_required",
-+    "identity:delete_consumer": "rule:admin_required",
-+    "identity:update_consumer": "rule:admin_required",
-+ 
-+    "identity:authorize_request_token": "rule:admin_required",
-+    "identity:list_access_token_roles": "rule:admin_required",
-+    "identity:get_access_token_role": "rule:admin_required",
-+    "identity:list_access_tokens": "rule:admin_required",
-+    "identity:get_access_token": "rule:admin_required",
-+    "identity:delete_access_token": "rule:admin_required",
-+ 
-+    "identity:list_projects_for_endpoint": "rule:admin_required",
-+    "identity:add_endpoint_to_project": "rule:admin_required",
-+    "identity:check_endpoint_in_project": "rule:admin_required",
-+    "identity:list_endpoints_for_project": "rule:admin_required",
-+    "identity:remove_endpoint_from_project": "rule:admin_required",
-+ 
-+    "identity:create_endpoint_group": "rule:admin_required",
-+    "identity:list_endpoint_groups": "rule:admin_required",
-+    "identity:get_endpoint_group": "rule:admin_required",
-+    "identity:update_endpoint_group": "rule:admin_required",
-+    "identity:delete_endpoint_group": "rule:admin_required",
-+    "identity:list_projects_associated_with_endpoint_group": 
"rule:admin_required",
-+    "identity:list_endpoints_associated_with_endpoint_group": 
"rule:admin_required",
-+    "identity:get_endpoint_group_in_project": "rule:admin_required",
-+    "identity:list_endpoint_groups_for_project": "rule:admin_required",
-+    "identity:add_endpoint_group_to_project": "rule:admin_required",
-+    "identity:remove_endpoint_group_from_project": "rule:admin_required",
-+ 
-+    "identity:create_identity_provider": "rule:admin_required",
-+    "identity:list_identity_providers": "rule:admin_required",
-+    "identity:get_identity_providers": "rule:admin_required",
-+    "identity:update_identity_provider": "rule:admin_required",
-+    "identity:delete_identity_provider": "rule:admin_required",
-+ 
-+    "identity:create_protocol": "rule:admin_required",
-+    "identity:update_protocol": "rule:admin_required",
-+    "identity:get_protocol": "rule:admin_required",
-+    "identity:list_protocols": "rule:admin_required",
-+    "identity:delete_protocol": "rule:admin_required",
-+ 
-+    "identity:create_mapping": "rule:admin_required",
-+    "identity:get_mapping": "rule:admin_required",
-+    "identity:list_mappings": "rule:admin_required",
-+    "identity:delete_mapping": "rule:admin_required",
-+    "identity:update_mapping": "rule:admin_required",
-+ 
-+    "identity:create_service_provider": "rule:admin_required",
-+    "identity:list_service_providers": "rule:admin_required",
-+    "identity:get_service_provider": "rule:admin_required",
-+    "identity:update_service_provider": "rule:admin_required",
-+    "identity:delete_service_provider": "rule:admin_required",
-+ 
-+    "identity:get_auth_catalog": "",
-+    "identity:get_auth_projects": "",
-+    "identity:get_auth_domains": "",
-+ 
-+    "identity:list_projects_for_groups": "",
-+    "identity:list_domains_for_groups": "",
-+ 
-+    "identity:list_revoke_events": "",
-+ 
-+    "identity:create_policy_association_for_endpoint": "rule:admin_required",
-+    "identity:check_policy_association_for_endpoint": "rule:admin_required",
-+    "identity:delete_policy_association_for_endpoint": "rule:admin_required",
-+    "identity:create_policy_association_for_service": "rule:admin_required",
-+    "identity:check_policy_association_for_service": "rule:admin_required",
-+    "identity:delete_policy_association_for_service": "rule:admin_required",
-+    "identity:create_policy_association_for_region_and_service": 
"rule:admin_required",
-+    "identity:check_policy_association_for_region_and_service": 
"rule:admin_required",
-+    "identity:delete_policy_association_for_region_and_service": 
"rule:admin_required",
-+    "identity:get_policy_for_endpoint": "rule:admin_required",
-+    "identity:list_endpoints_for_policy": "rule:admin_required",
-+ 
-+    "identity:create_domain_config": "rule:admin_required",
-+    "identity:get_domain_config": "rule:admin_required",
-+    "identity:update_domain_config": "rule:admin_required",
-+    "identity:delete_domain_config": "rule:admin_required"
-+}
-diff --git 
a/modules/openstack2/files/liberty/keystone/wmfkeystoneauth.egg-info/entry_points.txt
 
b/modules/openstack2/files/liberty/keystone/wmfkeystoneauth.egg-info/entry_points.txt
-new file mode 100644
-index 0000000..5ab1073
---- /dev/null
-+++ 
b/modules/openstack2/files/liberty/keystone/wmfkeystoneauth.egg-info/entry_points.txt
-@@ -0,0 +1,5 @@
-+[keystone.auth.wmtotp]
-+default = wmfkeystoneauth.wmtotp:Wmtotp
-+
-+[keystone.auth.password]
-+whitelist = wmfkeystoneauth.password_whitelist:PasswordWhitelist
-diff --git 
a/modules/openstack2/files/liberty/keystone/wmfkeystoneauth/__init__.py 
b/modules/openstack2/files/liberty/keystone/wmfkeystoneauth/__init__.py
-new file mode 100644
-index 0000000..e69de29
-diff --git 
a/modules/openstack2/files/liberty/keystone/wmfkeystoneauth/password_whitelist.py
 
b/modules/openstack2/files/liberty/keystone/wmfkeystoneauth/password_whitelist.py
-new file mode 100644
-index 0000000..2a1d4ed
---- /dev/null
-+++ 
b/modules/openstack2/files/liberty/keystone/wmfkeystoneauth/password_whitelist.py
-@@ -0,0 +1,72 @@
-+# Copyright 2016 Andrew Bogott for the Wikimedia Foundation
-+#
-+# Licensed under the Apache License, Version 2.0 (the "License"); you may
-+# not use this file except in compliance with the License. You may obtain
-+# a copy of the License at
-+#
-+#      http://www.apache.org/licenses/LICENSE-2.0
-+#
-+# Unless required by applicable law or agreed to in writing, software
-+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-+# License for the specific language governing permissions and limitations
-+# under the License.
-+
-+from netaddr import IPNetwork, IPAddress
-+
-+from oslo_log import log
-+from oslo_config import cfg
-+
-+from keystone.auth import plugins as auth_plugins
-+from keystone.auth.plugins import password
-+from keystone import exception
-+from keystone.i18n import _
-+
-+METHOD_NAME = 'password'
-+
-+LOG = log.getLogger(__name__)
-+
-+whitelist_ops = [
-+    cfg.MultiStrOpt('password_whitelist',
-+                    default=[],
-+                    help='user:ip range permitted to use password auth.'
-+                         'also supports a simple one-character * wildcard'
-+                         'for user.'),
-+]
-+
-+CONF = cfg.CONF
-+CONF.register_opts(whitelist_ops, group='auth')
-+
-+
-+def check_whitelist(user_id, remote_addr):
-+    """Return True if the user_id/remote_addr combination is in our whitelist.
-+       Otherwise, return raise Unauthorized"""
-+    LOG.debug("Auth request for user %s from %s" % (user_id,
-+                                                    remote_addr))
-+
-+    for entry in CONF.auth.password_whitelist:
-+        user, subnet = entry.split(':', 1)
-+        if user == "*" or user_id == user:
-+            if IPAddress(remote_addr) in IPNetwork(subnet):
-+                return True
-+
-+    LOG.warn('Password auth not allowed for %s from %s' % (user_id,
-+                                                           remote_addr))
-+
-+    msg = _('Password auth not allowed for this username from this ip.')
-+    raise exception.Unauthorized(msg)
-+
-+
-+class PasswordWhitelist(password.Password):
-+
-+    def authenticate(self, context, auth_payload, auth_context):
-+        """Verify username and password but only allow access for configured
-+           accounts and from configured IP ranges."""
-+
-+        user_info = auth_plugins.UserAuthInfo.create(auth_payload, 
METHOD_NAME)
-+        check_whitelist(user_info.user_id,
-+                        context['environment']['REMOTE_ADDR'])
-+
-+        return super(PasswordWhitelist, self).authenticate(context,
-+                                                           auth_payload,
-+                                                           auth_context)
-diff --git 
a/modules/openstack2/files/liberty/keystone/wmfkeystoneauth/wikitechclient.py 
b/modules/openstack2/files/liberty/keystone/wmfkeystoneauth/wikitechclient.py
-new file mode 100644
-index 0000000..33527a1
---- /dev/null
-+++ 
b/modules/openstack2/files/liberty/keystone/wmfkeystoneauth/wikitechclient.py
-@@ -0,0 +1,61 @@
-+# Copyright 2016 Wikimedia Foundation
-+#
-+#  This is part of a custom Keystone auth extension specific to Wikimedia 
Labs.
-+#
-+# Licensed under the Apache License, Version 2.0 (the "License"); you may
-+# not use this file except in compliance with the License. You may obtain
-+# a copy of the License at
-+#
-+#      http://www.apache.org/licenses/LICENSE-2.0
-+#
-+# Unless required by applicable law or agreed to in writing, software
-+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-+# License for the specific language governing permissions and limitations
-+# under the License.
-+
-+import mwclient
-+
-+from oslo_log import log
-+
-+LOG = log.getLogger(__name__)
-+
-+
-+class WikitechClient(object):
-+    """MediaWiki client, used for checking oath creds against Wikitech"""
-+
-+    def __init__(
-+        self, host,
-+        consumer_token, consumer_secret,
-+        access_token, access_secret
-+    ):
-+        self.site = self._site_for_host(
-+            host, consumer_token,
-+            consumer_secret, access_token, access_secret)
-+
-+    @classmethod
-+    def _site_for_host(
-+        cls, host,
-+        consumer_token, consumer_secret,
-+        access_token, access_secret
-+    ):
-+        return mwclient.Site(
-+            host,
-+            consumer_token=consumer_token,
-+            consumer_secret=consumer_secret,
-+            access_token=access_token,
-+            access_secret=access_secret,
-+            clients_useragent='Keystone',
-+            force_login=True
-+        )
-+
-+    # Returns a dict with two members:  'valid' and 'enabled'.
-+    def oathvalidate(self, username, totp):
-+        token = self.site.get_token('csrf', force=True)
-+        result = self.site.api(
-+            'oathvalidate', formatversion=2,
-+            user=username,
-+            totp=totp,
-+            token=token
-+        )
-+        return result['oathvalidate']
-diff --git 
a/modules/openstack2/files/liberty/keystone/wmfkeystoneauth/wmtotp.py 
b/modules/openstack2/files/liberty/keystone/wmfkeystoneauth/wmtotp.py
-new file mode 100644
-index 0000000..370a0be
---- /dev/null
-+++ b/modules/openstack2/files/liberty/keystone/wmfkeystoneauth/wmtotp.py
-@@ -0,0 +1,118 @@
-+# Copyright 2016 Wikimedia Foundation
-+#
-+#  (this is a custom hack local to the Wikimedia Labs deployment)
-+#
-+# Licensed under the Apache License, Version 2.0 (the "License"); you may
-+# not use this file except in compliance with the License. You may obtain
-+# a copy of the License at
-+#
-+#      http://www.apache.org/licenses/LICENSE-2.0
-+#
-+# Unless required by applicable law or agreed to in writing, software
-+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-+# License for the specific language governing permissions and limitations
-+# under the License.
-+
-+from oslo_log import log
-+from oslo_config import cfg
-+
-+from keystone import auth
-+from keystone.auth import plugins as auth_plugins
-+import password_whitelist
-+from keystone.common import dependency
-+from keystone import exception
-+from keystone.i18n import _
-+
-+import wikitechclient
-+
-+METHOD_NAME = 'wmtotp'
-+
-+LOG = log.getLogger(__name__)
-+CONF = cfg.CONF
-+
-+oathoptions = [
-+    cfg.StrOpt('dbuser',
-+               default='wiki_user',
-+               help='Database user for retrieving OATH secret.'),
-+    cfg.StrOpt('dbpass',
-+               default='12345',
-+               help='Database password for retrieving OATH secret.'),
-+    cfg.StrOpt('dbhost',
-+               default='localhost',
-+               help='Database host for retrieving OATH secret.'),
-+    cfg.StrOpt('dbname',
-+               default='labswiki',
-+               help='Database name for retrieving OATH secret.'),
-+    cfg.StrOpt('wikitech_host',
-+               default='wikitech.wikimedia.org',
-+               help='fqdn for the mediawiki host that supports the oath api'),
-+    cfg.StrOpt('wikitech_consumer_token'),
-+    cfg.StrOpt('wikitech_consumer_secret'),
-+    cfg.StrOpt('wikitech_access_token'),
-+    cfg.StrOpt('wikitech_access_secret'),
-+]
-+
-+for option in oathoptions:
-+    CONF.register_opt(option, group='oath')
-+
-+
[email protected]('identity_api')
-+class Wmtotp(auth.AuthMethodHandler):
-+
-+    method = METHOD_NAME
-+
-+    def authenticate(self, context, auth_payload, auth_context):
-+        """Try to authenticate against the identity backend."""
-+        user_info = auth_plugins.UserAuthInfo.create(auth_payload, 
self.method)
-+
-+        # Before we do anything else, make sure that this user is allowed
-+        #  access from their source IP
-+        password_whitelist.check_whitelist(user_info.user_id,
-+                                           
context['environment']['REMOTE_ADDR'])
-+
-+        # FIXME(gyee): identity.authenticate() can use some refactoring since
-+        # all we care is password matches
-+        try:
-+            self.identity_api.authenticate(
-+                context,
-+                user_id=user_info.user_id,
-+                password=user_info.password)
-+        except AssertionError:
-+            # authentication failed because of invalid username or password
-+            msg = _('Invalid username or password')
-+            raise exception.Unauthorized(msg)
-+
-+        # Password auth succeeded, check two-factor
-+        # LOG.debug("OATH: Doing 2FA for user_info " +
-+        #     ( "%s(%r)" % (user_info.__class__, user_info.__dict__) ) )
-+        # LOG.debug("OATH: Doing 2FA for auth_payload " +
-+        #     ( "%s(%r)" % (auth_payload.__class__, auth_payload) ) )
-+        if 'totp' not in auth_payload['user']:
-+            LOG.debug("OATH: 2FA failed, missing totp param")
-+            msg = _('Missing two-factor token')
-+            raise exception.Unauthorized(msg)
-+
-+        wtclient = wikitechclient.WikitechClient(
-+            CONF.oath.wikitech_host,
-+            CONF.oath.wikitech_consumer_token,
-+            CONF.oath.wikitech_consumer_secret,
-+            CONF.oath.wikitech_access_token,
-+            CONF.oath.wikitech_access_secret)
-+        valid = wtclient.oathvalidate(user_info.user_ref['name'],
-+                                      auth_payload['user']['totp'])
-+
-+        if valid['enabled']:
-+            if valid['valid']:
-+                LOG.debug("OATH: 2FA passed")
-+            else:
-+                LOG.debug("OATH: 2FA failed")
-+                msg = _('Invalid two-factor token')
-+                raise exception.Unauthorized(msg)
-+        else:
-+            LOG.debug("OATH: user '%s' does not have 2FA enabled.",
-+                      user_info.user_ref['name'])
-+            msg = _('2FA is not enabled; login forbidden')
-+            raise exception.Unauthorized(msg)
-+
-+        auth_context['user_id'] = user_info.user_id
-diff --git a/modules/openstack2/manifests/keystone/cleanup.pp 
b/modules/openstack2/manifests/keystone/cleanup.pp
-new file mode 100644
-index 0000000..7ac1ca8
---- /dev/null
-+++ b/modules/openstack2/manifests/keystone/cleanup.pp
-@@ -0,0 +1,52 @@
-+class openstack2::keystone::cleanup (
-+    $active,
-+    $db_user,
-+    $db_pass,
-+    $db_host,
-+    $db_name,
-+    ) {
-+
-+    # Cron doesn't take a bool
-+    if $active {
-+        $ensure = 'present'
-+    }
-+    else {
-+        $ensure = 'absent'
-+    }
-+
-+    # Clean up expired keystone tokens, because otherwise keystone leaves them
-+    #  around forever.
-+    cron {
-+        'cleanup_expired_keystone_tokens':
-+            ensure  => $ensure,
-+            user    => 'root',
-+                minute  => 20,
-+                command => '/usr/bin/keystone-manage token_flush > /dev/null 
2>&1',
-+        }
-+
-+        # Clean up service user tokens.  These tend to pile up
-+        #  quickly, and are never used for Horizon sessions.
-+        #  so, don't wait for them to expire, just delete them
-+        #  after a few hours.
-+        #
-+        # Tokens only know when they expire and not when they
-+        #  were created.  Since token lifespan is 7.1
-+        #  days (613440 seconds), any token that expires
-+        #  less than 7 days from now is already at least
-+        #  2 hours old.
-+        cron {
-+            'cleanup_novaobserver_keystone_tokens':
-+                ensure  => $ensure,
-+                user    => 'root',
-+                minute  => 30,
-+                command => "/usr/bin/mysql ${db_name} -h${db_host} 
-u${db_user} -p${db_pass} -e 'DELETE FROM token WHERE user_id=\"novaobserver\" 
AND NOW() + INTERVAL 7 day > expires LIMIT 10000;'",
-+        }
-+
-+        cron {
-+            'cleanup_novaadmin_keystone_tokens':
-+                ensure  => $ensure,
-+                user    => 'root',
-+                minute  => 40,
-+                command => "/usr/bin/mysql ${db_name} -h${db_host} 
-u${db_user} -p${db_pass} -e 'DELETE FROM token WHERE user_id=\"novaadmin\" AND 
NOW() + INTERVAL 7 day > expires LIMIT 10000;'",
-+        }
-+}
-diff --git a/modules/openstack2/manifests/keystone/hooks.pp 
b/modules/openstack2/manifests/keystone/hooks.pp
-new file mode 100644
-index 0000000..a99fef0
---- /dev/null
-+++ b/modules/openstack2/manifests/keystone/hooks.pp
-@@ -0,0 +1,25 @@
-+# Hook keystone notification events for custom
-+#  project swizzling
-+class openstack2::keystone::hooks(
-+    $version,
-+    ) {
-+    include openstack2::keystone::service
-+
-+    file { '/usr/lib/python2.7/dist-packages/wmfkeystonehooks':
-+        source  => 
"puppet:///modules/openstack/${version}/keystone/wmfkeystonehooks",
-+        owner   => 'root',
-+        group   => 'root',
-+        mode    => '0644',
-+        recurse => true,
-+        notify  => Service['keystone'],
-+    }
-+
-+    file { '/usr/lib/python2.7/dist-packages/wmfkeystonehooks.egg-info':
-+        source  => 
"puppet:///modules/openstack/${version}/keystone/wmfkeystonehooks.egg-info",
-+        owner   => 'root',
-+        group   => 'root',
-+        mode    => '0644',
-+        recurse => true,
-+        notify  => Service['keystone'],
-+    }
-+}
-diff --git a/modules/openstack2/manifests/keystone/monitor.pp 
b/modules/openstack2/manifests/keystone/monitor.pp
-new file mode 100644
-index 0000000..3b2c243
---- /dev/null
-+++ b/modules/openstack2/manifests/keystone/monitor.pp
-@@ -0,0 +1,47 @@
-+# == Class: openstack::keystone::monitor
-+# NRPE checks to make sure that the right keystone projects
-+#  exist and that projects have the proper service users.
-+#
-+# This also checks the functionality of the keystone API generally.
-+
-+class openstack2::keystone::monitor() {
-+
-+    # Script to check all keystone projects for a given user and role
-+    file { '/usr/local/bin/check_keystone_roles.py':
-+        ensure => present,
-+        source => 'puppet:///modules/openstack/check_keystone_roles.py',
-+        mode   => '0755',
-+        owner  => 'root',
-+        group  => 'root',
-+    }
-+
-+    # Script to make sure that service projects e.g. 'admin' exists
-+    file { '/usr/local/bin/check_keystone_projects.py':
-+        ensure => present,
-+        source => 'puppet:///modules/openstack/check_keystone_projects.py',
-+        mode   => '0755',
-+        owner  => 'root',
-+        group  => 'root',
-+    }
-+
-+    # Make sure 'novaobserver' has 'observer' everywhere
-+    nrpe::monitor_service { 'check-novaobserver-membership':
-+        nrpe_command => '/usr/local/bin/check_keystone_roles.py novaobserver 
observer',
-+        description  => 'novaobserver has only observer role',
-+        require      => File['/usr/local/bin/check_keystone_roles.py'],
-+    }
-+
-+    # Make sure 'novaadmin' has 'projectadmin' and 'user' everywhere
-+    nrpe::monitor_service { 'check-novaadmin-membership':
-+        nrpe_command => '/usr/local/bin/check_keystone_roles.py novaadmin 
user projectadmin',
-+        description  => 'novaadmin has roles in every project',
-+        require      => File['/usr/local/bin/check_keystone_roles.py'],
-+    }
-+
-+    # Verify service projects
-+    nrpe::monitor_service { 'check-keystone-projects':
-+        nrpe_command => '/usr/local/bin/check_keystone_projects.py',
-+        description  => 'Keystone admin and observer projects exist',
-+        require      => File['/usr/local/bin/check_keystone_roles.py'],
-+    }
-+}
-diff --git a/modules/openstack2/manifests/keystone/service.pp 
b/modules/openstack2/manifests/keystone/service.pp
-new file mode 100644
-index 0000000..654bd10
---- /dev/null
-+++ b/modules/openstack2/manifests/keystone/service.pp
-@@ -0,0 +1,218 @@
-+# keystone is the identity service of openstack
-+# http://docs.openstack.org/developer/keystone/
-+
-+class openstack2::keystone::service(
-+    $version,
-+    $nova_controller,
-+    $osm_host,
-+    $db_name,
-+    $db_user,
-+    $db_pass,
-+    $db_host,
-+    $token_driver,
-+    $ldap_hosts,
-+    $ldap_base_dn,
-+    $ldap_user_id_attribute,
-+    $ldap_user_name_attribute,
-+    $ldap_user_dn,
-+    $ldap_user_pass,
-+    $auth_protocol,
-+    $auth_port,
-+    $wiki_status_page_prefix,
-+    $wiki_status_consumer_token,
-+    $wiki_status_consumer_secret,
-+    $wiki_status_access_token,
-+    $wiki_status_access_secret,
-+    $wiki_consumer_token,
-+    $wiki_consumer_secret,
-+    $wiki_access_token,
-+    $wiki_access_secret,
-+    ) {
-+
-+    #include ::openstack::keystone::hooks
-+    include ::network::constants
-+    $prod_networks = $network::constants::production_networks
-+    $labs_networks = $network::constants::labs_networks
-+
-+    package { 'keystone':
-+        ensure  => present,
-+    }
-+    package { 'python-oath':
-+        ensure  => present,
-+    }
-+    package { 'python-mysql.connector':
-+        ensure  => present,
-+    }
-+
-+    if $token_driver == 'redis' {
-+        package { 'python-keystone-redis':
-+            ensure => present;
-+        }
-+    }
-+
-+    file {
-+        '/var/log/keystone':
-+            ensure => directory,
-+            owner  => 'keystone',
-+            group  => 'www-data',
-+            mode   => '0775';
-+        '/var/log/keystone/uwsgi':
-+            ensure => directory,
-+            owner  => 'www-data',
-+            group  => 'www-data',
-+            mode   => '0755';
-+        '/etc/keystone':
-+            ensure => directory,
-+            owner  => 'keystone',
-+            group  => 'keystone',
-+            mode   => '0755';
-+        '/etc/keystone/keystone.conf':
-+            content => 
template("openstack2/${version}/keystone/keystone.conf.erb"),
-+            owner   => 'keystone',
-+            group   => 'keystone',
-+            notify  => Service['uwsgi-keystone-admin', 
'uwsgi-keystone-public'],
-+            require => Package['keystone'],
-+            mode    => '0444';
-+        '/etc/keystone/keystone-paste.ini':
-+            source  => 
"puppet:///modules/openstack2/${version}/keystone/keystone-paste.ini",
-+            mode    => '0644',
-+            owner   => 'root',
-+            group   => 'root',
-+            notify  => Service['uwsgi-keystone-admin', 
'uwsgi-keystone-public'],
-+            require => Package['keystone'];
-+        '/etc/keystone/policy.json':
-+            source  => 
"puppet:///modules/openstack2/${version}/keystone/policy.json",
-+            mode    => '0644',
-+            owner   => 'root',
-+            group   => 'root',
-+            notify  => Service['uwsgi-keystone-admin', 
'uwsgi-keystone-public'],
-+            require => Package['keystone'];
-+        '/etc/keystone/logging.conf':
-+            source  => 
"puppet:///modules/openstack2/${version}/keystone/logging.conf",
-+            mode    => '0644',
-+            owner   => 'root',
-+            group   => 'root',
-+            notify  => Service['uwsgi-keystone-admin', 
'uwsgi-keystone-public'],
-+            require => Package['keystone'];
-+        '/usr/lib/python2.7/dist-packages/wmfkeystoneauth':
-+            source  => 
"puppet:///modules/openstack2/${version}/keystone/wmfkeystoneauth",
-+            owner   => 'root',
-+            group   => 'root',
-+            mode    => '0644',
-+            notify  => Service['uwsgi-keystone-admin', 
'uwsgi-keystone-public'],
-+            recurse => true;
-+        '/usr/lib/python2.7/dist-packages/wmfkeystoneauth.egg-info':
-+            source  => 
"puppet:///modules/openstack2/${version}/keystone/wmfkeystoneauth.egg-info",
-+            owner   => 'root',
-+            group   => 'root',
-+            mode    => '0644',
-+            notify  => Service['uwsgi-keystone-admin', 
'uwsgi-keystone-public'],
-+            recurse => true;
-+    }
-+
-+    logrotate::conf { 'keystone-public-uwsgi':
-+        ensure => present,
-+        source => 
'puppet:///modules/openstack2/keystone-public-uwsgi.logrotate',
-+    }
-+
-+    logrotate::conf { 'keystone-admin-uwsgi':
-+        ensure => present,
-+        source => 
'puppet:///modules/openstack2/keystone-admin-uwsgi.logrotate',
-+    }
-+
-+    if $::fqdn == $nova_controller {
-+
-+        monitoring::service { 'keystone-http-35357':
-+            description   => 'keystone admin endpoint',
-+            check_command => 'check_http_on_port!35357',
-+        }
-+
-+        monitoring::service { 'keystone-http-5000': # v2 api is limited here
-+            description   => 'keystone public endoint',
-+            check_command => 'check_http_on_port!5000',
-+        }
-+
-+        if ($version == 'liberty') {
-+            # Keystone says that you should run it with uwsgi in Liberty,
-+            #  but it's actually buggy and terrible in that config.  So, use 
eventlet
-+            #  ('keystone' service) on liberty, and we'll try uwsgi again on 
mitaka.
-+            $enable_uwsgi = false
-+
-+            service { 'keystone':
-+                ensure    => running,
-+                subscribe => File['/etc/keystone/keystone.conf'],
-+                require   => Package['keystone'];
-+            }
-+            service { 'uwsgi-keystone-admin':
-+                ensure => stopped,
-+            }
-+            service { 'uwsgi-keystone-public':
-+                ensure => stopped,
-+            }
-+        } else {
-+            $enable_uwsgi = true
-+
-+            # stop the keystone process itself; this will be handled
-+            #  by uwsgi
-+            service { 'keystone':
-+                ensure  => stopped,
-+                require => Package['keystone'];
-+            }
-+            file {'/etc/init/keystone.conf':
-+                ensure  => 'absent';
-+            }
-+        }
-+    } else {
-+        $enable_uwsgi = false
-+
-+        # Because of the enabled => false, the uwsgi::app
-+        #  declarations below don't actually define
-+        #  services for the keystone processes.  We need
-+        #  to define them here (even though they're stopped)
-+        #  so we can refer to them elsewhere.
-+        service { 'uwsgi-keystone-admin':
-+            ensure => stopped,
-+        }
-+        service { 'uwsgi-keystone-public':
-+            ensure => stopped,
-+        }
-+        service { 'keystone':
-+            ensure  => stopped,
-+            require => Package['keystone'];
-+        }
-+    }
-+
-+    # Set up uwsgi services
-+
-+    # Keystone admin API
-+    uwsgi::app { 'keystone-admin':
-+        enabled  => $enable_uwsgi,
-+        settings => {
-+            uwsgi => {
-+                die-on-term => true,
-+                http        => "0.0.0.0:${auth_port}",
-+                logger      => 
'file:/var/log/keystone/uwsgi/keystone-admin-uwsgi.log',
-+                master      => true,
-+                name        => 'keystone',
-+                plugins     => 'python, python3, logfile',
-+                processes   => '20',
-+                wsgi-file   => '/usr/bin/keystone-wsgi-admin',
-+            },
-+        },
-+    }
-+    uwsgi::app { 'keystone-public':
-+        enabled  => $enable_uwsgi,
-+        settings => {
-+            uwsgi => {
-+                die-on-term => true,
-+                http        => '0.0.0.0:5000',
-+                logger      => 
'file:/var/log/keystone/uwsgi/keystone-public-uwsgi.log',
-+                master      => true,
-+                name        => 'keystone',
-+                plugins     => 'python, python3, logfile',
-+                processes   => '20',
-+                wsgi-file   => '/usr/bin/keystone-wsgi-public',
-+            },
-+        },
-+    }
-+}
-diff --git a/modules/openstack2/templates/liberty/keystone/keystone.conf.erb 
b/modules/openstack2/templates/liberty/keystone/keystone.conf.erb
-new file mode 100644
-index 0000000..858b9a9
---- /dev/null
-+++ b/modules/openstack2/templates/liberty/keystone/keystone.conf.erb
-@@ -0,0 +1,413 @@
-+[DEFAULT]
-+
-+#
-+# From keystone
-+#
-+
-+# A "shared secret" that can be used to bootstrap Keystone. This "token" does
-+# not represent a user, and carries no explicit authorization. To disable in
-+# production (highly recommended), remove AdminTokenAuthMiddleware from your
-+# paste application pipelines (for example, in keystone-paste.ini). (string
-+# value)
-+#admin_token = <None>
-+
-+# The base public endpoint URL for Keystone that is advertised to clients
-+# (NOTE: this does NOT affect how Keystone listens for connections). Defaults
-+# to the base host URL of the request. E.g. a request to
-+# http://server:5000/v3/users will default to http://server:5000. You should
-+# only need to set this value if the base URL contains a path (e.g. 
/prefix/v3)
-+# or the endpoint should be found on a different server. (string value)
-+#public_endpoint = <None>
-+
-+# The base admin endpoint URL for Keystone that is advertised to clients 
(NOTE:
-+# this does NOT affect how Keystone listens for connections). Defaults to the
-+# base host URL of the request. E.g. a request to http://server:35357/v3/users
-+# will default to http://server:35357. You should only need to set this value
-+# if the base URL contains a path (e.g. /prefix/v3) or the endpoint should be
-+# found on a different server. (string value)
-+#admin_endpoint = <None>
-+
-+# Maximum depth of the project hierarchy. WARNING: setting it to a large value
-+# may adversely impact performance. (integer value)
-+#max_project_tree_depth = 5
-+
-+# Limit the sizes of user & project ID/names. (integer value)
-+#max_param_size = 64
-+
-+# Similar to max_param_size, but provides an exception for token values.
-+# (integer value)
-+#max_token_size = 8192
-+
-+# Similar to the member_role_name option, this represents the default role ID
-+# used to associate users with their default projects in the v2 API. This will
-+# be used as the explicit role where one is not specified by the v2 API.
-+# (string value)
-+#member_role_id = 9fe2ff9ee4384b1894a90878d3e92bab
-+
-+# This is the role name used in combination with the member_role_id option; 
see
-+# that option for more detail. (string value)
-+member_role_name = user
-+
-+# The value passed as the keyword "rounds" to passlib's encrypt method.
-+# (integer value)
-+# Minimum value: 1000
-+# Maximum value: 100000
-+#crypt_strength = 10000
-+
-+# The maximum number of entities that will be returned in a collection, with 
no
-+# limit set by default. This global limit may be then overridden for a 
specific
-+# driver, by specifying a list_limit in the appropriate section (e.g.
-+# [assignment]). (integer value)
-+#list_limit = <None>
-+
-+# Set this to false if you want to enable the ability for user, group and
-+# project entities to be moved between domains by updating their domain_id.
-+# Allowing such movement is not recommended if the scope of a domain admin is
-+# being restricted by use of an appropriate policy file (see
-+# policy.v3cloudsample as an example). (boolean value)
-+#domain_id_immutable = true
-+
-+# If set to true, strict password length checking is performed for password
-+# manipulation. If a password exceeds the maximum length, the operation will
-+# fail with an HTTP 403 Forbidden error. If set to false, passwords are
-+# automatically truncated to the maximum length. (boolean value)
-+#strict_password_check = false
-+
-+# The HTTP header used to determine the scheme for the original request, even
-+# if it was removed by an SSL terminating proxy. Typical value is
-+# "HTTP_X_FORWARDED_PROTO". (string value)
-+#secure_proxy_ssl_header = <None>
-+
-+#
-+# From keystone.notifications
-+#
-+
-+# Default publisher_id for outgoing notifications (string value)
-+#default_publisher_id = <None>
-+
-+# Define the notification format for Identity Service events. A "basic"
-+# notification has information about the resource being operated on. A "cadf"
-+# notification has the same information, as well as information about the
-+# initiator of the event. (string value)
-+# Allowed values: basic, cadf
-+#notification_format = basic
-+
-+#
-+# From oslo.log
-+#
-+
-+# Print debugging output (set logging level to DEBUG instead of default INFO
-+# level). (boolean value)
-+debug = false
-+
-+# If set to false, will disable INFO logging level, making WARNING the 
default.
-+# (boolean value)
-+# This option is deprecated for removal.
-+# Its value may be silently ignored in the future.
-+verbose = false
-+
-+# The name of a logging configuration file. This file is appended to any
-+# existing logging configuration files. For details about logging 
configuration
-+# files, see the Python logging module documentation. (string value)
-+# Deprecated group/name - [DEFAULT]/log_config
-+log_config_append = /etc/keystone/logging.conf
-+
-+# DEPRECATED. A logging.Formatter log message format string which may use any
-+# of the available logging.LogRecord attributes. This option is deprecated.
-+# Please use logging_context_format_string and logging_default_format_string
-+# instead. (string value)
-+#log_format = <None>
-+
-+# Format string for %%(asctime)s in log records. Default: %(default)s . 
(string
-+# value)
-+#log_date_format = %Y-%m-%d %H:%M:%S
-+
-+# (Optional) Name of log file to output to. If no default is set, logging will
-+# go to stdout. (string value)
-+# Deprecated group/name - [DEFAULT]/logfile
-+log_file = keystone.log
-+
-+# (Optional) The base directory used for relative --log-file paths. (string
-+# value)
-+# Deprecated group/name - [DEFAULT]/logdir
-+log_dir = /var/log/keystone
-+
-+# Use syslog for logging. Existing syslog format is DEPRECATED and will be
-+# changed later to honor RFC5424. (boolean value)
-+#use_syslog = false
-+
-+# (Optional) Enables or disables syslog rfc5424 format for logging. If 
enabled,
-+# prefixes the MSG part of the syslog message with APP-NAME (RFC5424). The
-+# format without the APP-NAME is deprecated in Kilo, and will be removed in
-+# Mitaka, along with this option. (boolean value)
-+# This option is deprecated for removal.
-+# Its value may be silently ignored in the future.
-+#use_syslog_rfc_format = true
-+
-+# Syslog facility to receive log lines. (string value)
-+#syslog_log_facility = LOG_USER
-+
-+# Log output to standard error. (boolean value)
-+#use_stderr = true
-+
-+# Format string to use for log messages with context. (string value)
-+#logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d 
%(levelname)s %(name)s [%(request_id)s %(user_identity)s] 
%(instance)s%(message)s
-+
-+# Format string to use for log messages without context. (string value)
-+#logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d 
%(levelname)s %(name)s [-] %(instance)s%(message)s
-+
-+# Data to append to log format when level is DEBUG. (string value)
-+#logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d
-+
-+# Prefix each line of exception output with this format. (string value)
-+#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR 
%(name)s %(instance)s
-+
-+# List of logger=LEVEL pairs. (list value)
-+#default_log_levels = 
amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN
-+
-+# Enables or disables publication of error events. (boolean value)
-+#publish_errors = false
-+
-+# The format for an instance that is passed with the log message. (string
-+# value)
-+#instance_format = "[instance: %(uuid)s] "
-+
-+# The format for an instance UUID that is passed with the log message. (string
-+# value)
-+#instance_uuid_format = "[instance: %(uuid)s] "
-+
-+# Enables or disables fatal status of deprecations. (boolean value)
-+#fatal_deprecations = false
-+
-+#
-+# From oslo.messaging
-+#
-+
-+# Size of RPC connection pool. (integer value)
-+# Deprecated group/name - [DEFAULT]/rpc_conn_pool_size
-+#rpc_conn_pool_size = 30
-+
-+# ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP.
-+# The "host" option should point or resolve to this address. (string value)
-+#rpc_zmq_bind_address = *
-+
-+# MatchMaker driver. (string value)
-+#rpc_zmq_matchmaker = local
-+
-+# ZeroMQ receiver listening port. (integer value)
-+#rpc_zmq_port = 9501
-+
-+# Number of ZeroMQ contexts, defaults to 1. (integer value)
-+#rpc_zmq_contexts = 1
-+
-+# Maximum number of ingress messages to locally buffer per topic. Default is
-+# unlimited. (integer value)
-+#rpc_zmq_topic_backlog = <None>
-+
-+# Directory for holding IPC sockets. (string value)
-+#rpc_zmq_ipc_dir = /var/run/openstack
-+
-+# Name of this node. Must be a valid hostname, FQDN, or IP address. Must match
-+# "host" option, if running Nova. (string value)
-+#rpc_zmq_host = localhost
-+
-+# Seconds to wait before a cast expires (TTL). Only supported by impl_zmq.
-+# (integer value)
-+#rpc_cast_timeout = 30
-+
-+# Heartbeat frequency. (integer value)
-+#matchmaker_heartbeat_freq = 300
-+
-+# Heartbeat time-to-live. (integer value)
-+#matchmaker_heartbeat_ttl = 600
-+
-+# Size of executor thread pool. (integer value)
-+# Deprecated group/name - [DEFAULT]/rpc_thread_pool_size
-+#executor_thread_pool_size = 64
-+
-+# The Drivers(s) to handle sending notifications. Possible values are
-+# messaging, messagingv2, routing, log, test, noop (multi valued)
-+notification_driver = wmfkeystonehooks
-+
-+# Login info for wikitech, for project page updates
-+wiki_host=<%= @osm_host %>
-+wiki_page_prefix=<%= @wiki_status_page_prefix %>
-+wiki_consumer_token=<%= @wiki_status_consumer_token %>
-+wiki_consumer_secret=<%= @wiki_status_consumer_secret %>
-+wiki_access_token=<%= @wiki_status_access_token %>
-+wiki_access_secret=<%= @wiki_status_access_secret %>
-+
-+# AMQP topic used for OpenStack notifications. (list value)
-+# Deprecated group/name - [rpc_notifier2]/topics
-+#notification_topics = notifications
-+
-+# Seconds to wait for a response from a call. (integer value)
-+#rpc_response_timeout = 60
-+
-+# A URL representing the messaging driver to use and its full configuration. 
If
-+# not set, we fall back to the rpc_backend option and driver specific
-+# configuration. (string value)
-+#transport_url = <None>
-+
-+# The messaging driver to use, defaults to rabbit. Other drivers include qpid
-+# and zmq. (string value)
-+#rpc_backend = rabbit
-+
-+# The default exchange under which topics are scoped. May be overridden by an
-+# exchange name specified in the transport_url option. (string value)
-+#control_exchange = keystone
-+
-+#
-+# From oslo.service.service
-+#
-+
-+# Enables or disables logging values of all registered options when starting a
-+# service (at DEBUG level). (boolean value)
-+#log_options = true
-+
-+[assignment]
-+driver = sql
-+
-+[sql]
-+# the timeout before idle sql connections are reaped
-+# idle_timeout = 200
-+
-+[database]
-+# The SQLAlchemy connection string used to connect to the database
-+connection = mysql://<%= @db_user %>:<%= @db_pass %>@<%= @db_host %>/<%= 
@db_name %>
-+
-+[identity]
-+driver = ldap
-+
-+[cache]
-+
-+#
-+# From keystone
-+#
-+
-+# Prefix for building the configuration dictionary for the cache region. This
-+# should not need to be changed unless there is another dogpile.cache region
-+# with the same configuration name. (string value)
-+#config_prefix = cache.keystone
-+
-+# Default TTL, in seconds, for any cached item in the dogpile.cache region.
-+# This applies to any cached method that doesn't have an explicit cache
-+# expiration time defined for it. (integer value)
-+#expiration_time = 600
-+
-+# Dogpile.cache backend module. It is recommended that Memcache with pooling
-+# (keystone.cache.memcache_pool) or Redis (dogpile.cache.redis) be used in
-+# production deployments.  Small workloads (single process) like devstack can
-+# use the dogpile.cache.memory backend. (string value)
-+#backend = keystone.common.cache.noop
-+
-+# Arguments supplied to the backend module. Specify this option once per
-+# argument to be passed to the dogpile.cache backend. Example format:
-+# "<argname>:<value>". (multi valued)
-+#backend_argument =
-+
-+# Proxy classes to import that will affect the way the dogpile.cache backend
-+# functions. See the dogpile.cache documentation on changing-backend-behavior.
-+# (list value)
-+#proxies =
-+
-+# Global toggle for all caching using the should_cache_fn mechanism. (boolean
-+# value)
-+#enabled = false
-+
-+# Extra debugging from the cache backend (cache keys, get/set/delete/etc
-+# calls). This is only really useful if you need to see the specific cache-
-+# backend get/set/delete calls with the keys/values.  Typically this should be
-+# left set to false. (boolean value)
-+#debug_cache_backend = false
-+
-+# Memcache servers in the format of "host:port". (dogpile.cache.memcache and
-+# keystone.cache.memcache_pool backends only). (list value)
-+#memcache_servers = localhost:11211
-+
-+# Number of seconds memcached server is considered dead before it is tried
-+# again. (dogpile.cache.memcache and keystone.cache.memcache_pool backends
-+# only). (integer value)
-+#memcache_dead_retry = 300
-+
-+# Timeout in seconds for every call to a server. (dogpile.cache.memcache and
-+# keystone.cache.memcache_pool backends only). (integer value)
-+#memcache_socket_timeout = 3
-+
-+# Max total number of open connections to every memcached server.
-+# (keystone.cache.memcache_pool backend only). (integer value)
-+#memcache_pool_maxsize = 10
-+
-+# Number of seconds a connection to memcached is held unused in the pool 
before
-+# it is closed. (keystone.cache.memcache_pool backend only). (integer value)
-+#memcache_pool_unused_timeout = 60
-+
-+# Number of seconds that an operation will wait to get a memcache client
-+# connection. (integer value)
-+#memcache_pool_connection_get_timeout = 10
-+
-+[catalog]
-+# dynamic, sql-based backend (supports API/CLI-based management commands)
-+driver = sql
-+
-+# static, file-based backend (does *NOT* support any management commands)
-+# driver = keystone.catalog.backends.templated.TemplatedCatalog
-+
-+# template_file = default_catalog.templates
-+
-+[token]
-+provider = uuid
-+driver = sql
-+
-+# Amount of time a token should remain valid (in seconds)
-+# Using 7.1 days, as we'll set MediaWiki to 7 days
-+expiration = 613440
-+
-+[policy]
-+driver = rules
-+
-+[signing]
-+#provider = uuid
-+#certfile = /etc/keystone/ssl/certs/signing_cert.pem
-+#keyfile = /etc/keystone/ssl/private/signing_key.pem
-+#ca_certs = /etc/keystone/ssl/certs/ca.pem
-+#key_size = 1024
-+#valid_days = 3650
-+#ca_password = None
-+#token_format = PKI
-+
-+[ldap]
-+url = <% @ldap_hosts.each do |ldap_host| %>ldap://<%= ldap_host %>,<% end %>
-+tree_dn = <%= @ldap_base_dn %>
-+user_tree_dn = ou=people,<%= @ldap_base_dn %>
-+user_id_attribute = <%= @ldap_user_id_attribute %>
-+user_name_attribute = <%= @ldap_user_name_attribute %>
-+user = <%= @ldap_user_dn %>
-+password = <%= @ldap_user_pass %>
-+
-+[auth]
-+methods = external,password,token,wmtotp
-+
-+# Override the default password plugin with a custom
-+#  one that checks source IPs.
-+password = whitelist
-+
-+<% @labs_networks.each do |subnet| -%>
-+password_whitelist = novaobserver:<%=subnet%>
-+<% end -%>
-+<% @prod_networks.each do |subnet| -%>
-+password_whitelist = *:<%=subnet%>
-+<% end -%>
-+
-+[oath]
-+wikitech_host = <%=@osm_host %>
-+wikitech_consumer_token = <%= @wiki_consumer_token %>
-+wikitech_consumer_secret = <%= @wiki_consumer_secret %>
-+wikitech_access_token = <%= @wiki_access_token %>
-+wikitech_access_secret = <%= @wiki_access_secret %>
-+
-+[wmfhooks]
-+
-+admin_pass = <%= @ldap_user_pass %>
-+auth_url = <%= @auth_protocol %>://<%= @fqdn %>:<%= @auth_port %>/v3
-+
-diff --git a/modules/profile/manifests/openstack/base/keystone/hooks.pp 
b/modules/profile/manifests/openstack/base/keystone/hooks.pp
-new file mode 100644
-index 0000000..ad55178
---- /dev/null
-+++ b/modules/profile/manifests/openstack/base/keystone/hooks.pp
-@@ -0,0 +1,8 @@
-+class profile::openstack::base::keystone::hooks(
-+    $version = hiera('profile::openstack::base::version'),
-+    ) {
-+
-+    class { 'openstack2::keystone::hooks':
-+        version => $version,
-+    }
-+}
-diff --git a/modules/profile/manifests/openstack/base/keystone/service.pp 
b/modules/profile/manifests/openstack/base/keystone/service.pp
-new file mode 100644
-index 0000000..4c84790
---- /dev/null
-+++ b/modules/profile/manifests/openstack/base/keystone/service.pp
-@@ -0,0 +1,56 @@
-+class profile::openstack::base::keystone::service(
-+    $version = hiera('profile::openstack::base::version'),
-+    $nova_controller = hiera('profile::openstack::base::nova_controller'),
-+    $osm_host = hiera('profile::openstack::base::osm_host'),
-+    $db_name = hiera('profile::openstack::base::keystone::db_name'),
-+    $db_user = hiera('profile::openstack::base::keystone::db_user'),
-+    $db_pass = hiera('profile::openstack::base::keystone::db_pass'),
-+    $db_host = hiera('profile::openstack::base::keystone::db_host'),
-+    $token_driver = hiera('profile::openstack::base::keystone::token_driver'),
-+    $ldap_hosts = hiera('profile::openstack::base::ldap_hosts'),
-+    $ldap_base_dn = hiera('profile::openstack::base::ldap_base_dn'),
-+    $ldap_user_id_attribute = 
hiera('profile::openstack::base::ldap_user_id_attribute'),
-+    $ldap_user_name_attribute = 
hiera('profile::openstack::base::ldap_user_name_attribute'),
-+    $ldap_user_dn = hiera('profile::openstack::base::ldap_user_dn'),
-+    $ldap_user_pass = hiera('profile::openstack::base::ldap_user_pass'),
-+    $auth_protocol = 
hiera('profile::openstack::base::keystone::auth_protocol'),
-+    $auth_port = hiera('profile::openstack::base::keystone::auth_port'),
-+    $wiki_status_page_prefix = 
hiera('profile::openstack::base::keystone::wiki_status_page_prefix'),
-+    $wiki_status_consumer_token = 
hiera('profile::openstack::base::keystone::wiki_status_consumer_token'),
-+    $wiki_status_consumer_secret = 
hiera('profile::openstack::base::keystone::wiki_status_consumer_secret'),
-+    $wiki_status_access_token = 
hiera('profile::openstack::base::keystone::wiki_status_access_token'),
-+    $wiki_status_access_secret = 
hiera('profile::openstack::base::keystone::wiki_status_access_secret'),
-+    $wiki_consumer_token = 
hiera('profile::openstack::base::keystone::wiki_consumer_token'),
-+    $wiki_consumer_secret = 
hiera('profile::openstack::base::keystone::wiki_consumer_secret'),
-+    $wiki_access_token = 
hiera('profile::openstack::base::keystone::wiki_access_token'),
-+    $wiki_access_secret = 
hiera('profile::openstack::base::keystone::wiki_access_secret'),
-+    ) {
-+
-+    class {'openstack2::keystone::service':
-+        version                     => $version,
-+        nova_controller             => $nova_controller,
-+        osm_host                    => $osm_host,
-+        db_name                     => $db_name,
-+        db_user                     => $db_user,
-+        db_pass                     => $db_pass,
-+        db_host                     => $db_host,
-+        token_driver                => $token_driver,
-+        ldap_hosts                  => $ldap_hosts,
-+        ldap_base_dn                => $ldap_base_dn,
-+        ldap_user_id_attribute      => $ldap_user_id_attribute,
-+        ldap_user_name_attribute    => $ldap_user_name_attribute,
-+        ldap_user_dn                => $ldap_user_dn,
-+        ldap_user_pass              => $ldap_user_pass,
-+        auth_protocol               => $auth_protocol,
-+        auth_port                   => $auth_port,
-+        wiki_status_page_prefix     => $wiki_status_page_prefix,
-+        wiki_status_consumer_token  => $wiki_status_consumer_token,
-+        wiki_status_consumer_secret => $wiki_status_consumer_secret,
-+        wiki_status_access_token    => $wiki_status_access_token,
-+        wiki_status_access_secret   => $wiki_status_access_secret,
-+        wiki_consumer_token         => $wiki_consumer_token,
-+        wiki_consumer_secret        => $wiki_consumer_secret,
-+        wiki_access_token           => $wiki_access_token,
-+        wiki_access_secret          => $wiki_access_secret,
-+    }
-+}
-diff --git a/modules/profile/manifests/openstack/labtest/keystone/service.pp 
b/modules/profile/manifests/openstack/labtest/keystone/service.pp
-new file mode 100644
-index 0000000..7fe2f64
---- /dev/null
-+++ b/modules/profile/manifests/openstack/labtest/keystone/service.pp
-@@ -0,0 +1,50 @@
-+class profile::openstack::labtest::keystone::service(
-+    $version = hiera('profile::openstack::labtest::version'),
-+    $nova_controller = hiera('profile::openstack::labtest::nova_controller'),
-+    $osm_host = hiera('profile::openstack::labtest::osm_host'),
-+    $db_host = hiera('profile::openstack::labtest::keystone::db_host'),
-+    $token_driver = 
hiera('profile::openstack::labtest::keystone::token_driver'),
-+    $db_pass = hiera('profile::openstack::labtest::keystone::db_pass'),
-+    $ldap_hosts = hiera('profile::openstack::labtest::ldap_hosts'),
-+    $ldap_user_pass = hiera('profile::openstack::labtest::ldap_user_pass'),
-+    $wiki_status_consumer_token = 
hiera('profile::openstack::labtest::keystone::wiki_status_consumer_token'),
-+    $wiki_status_consumer_secret = 
hiera('profile::openstack::labtest::keystone::wiki_status_consumer_secret'),
-+    $wiki_status_access_token = 
hiera('profile::openstack::labtest::keystone::wiki_status_access_token'),
-+    $wiki_status_access_secret = 
hiera('profile::openstack::labtest::keystone::wiki_status_access_secret'),
-+    $wiki_consumer_token = 
hiera('profile::openstack::labtest::keystone::wiki_consumer_token'),
-+    $wiki_consumer_secret = 
hiera('profile::openstack::labtest::keystone::wiki_consumer_secret'),
-+    $wiki_access_token = 
hiera('profile::openstack::labtest::keystone::wiki_access_token'),
-+    $wiki_access_secret = 
hiera('profile::openstack::labtest::keystone::wiki_access_secret'),
-+    ) {
-+
-+    package {'mysql-server':
-+        ensure => 'present',
-+    }
-+
-+    require profile::openstack::labtest::clientlib
-+    class {'profile::openstack::base::keystone::service':
-+        version                     => $version,
-+        nova_controller             => $nova_controller,
-+        osm_host                    => $osm_host,
-+        db_host                     => $db_host,
-+        token_driver                => $token_driver,
-+        db_pass                     => $db_pass,
-+        ldap_hosts                  => $ldap_hosts,
-+        ldap_user_pass              => $ldap_user_pass,
-+        wiki_status_consumer_token  => $wiki_status_consumer_token,
-+        wiki_status_consumer_secret => $wiki_status_consumer_secret,
-+        wiki_status_access_token    => $wiki_status_access_token,
-+        wiki_status_access_secret   => $wiki_status_access_secret,
-+        wiki_consumer_token         => $wiki_consumer_token,
-+        wiki_consumer_secret        => $wiki_consumer_secret,
-+        wiki_access_token           => $wiki_access_token,
-+        wiki_access_secret          => $wiki_access_secret,
-+        require                     => Package['mysql-server'],
-+    }
-+
-+    class {'profile::openstack::base::keystone::hooks':
-+        version => $version,
-+    }
-+
-+    class {'openstack2::keystone::monitor':}
-+}
-diff --git a/modules/profile/manifests/openstack/labtest/rabbitmq.pp 
b/modules/profile/manifests/openstack/labtest/rabbitmq.pp
-index 3c161cf..6cabc46 100644
---- a/modules/profile/manifests/openstack/labtest/rabbitmq.pp
-+++ b/modules/profile/manifests/openstack/labtest/rabbitmq.pp
-@@ -4,8 +4,8 @@ class profile::openstack::labtest::rabbitmq(
-     $monitor_password = 
hiera('profile::openstack::labtest::rabbit_monitor_pass'),
-     $file_handles = hiera('profile::openstack::labtest::rabbit_file_handles'),
- ){
--    require ::profile::openstack::labtest::cloudrepo
- 
-+    require ::profile::openstack::labtest::cloudrepo
-     class {'::profile::openstack::base::rabbitmq':
-         nova_controller  => $nova_controller,
-         monitor_user     => $monitor_user,
-diff --git a/modules/profile/manifests/openstack/labtestn/keystone/service.pp 
b/modules/profile/manifests/openstack/labtestn/keystone/service.pp
-new file mode 100644
-index 0000000..65077bf
---- /dev/null
-+++ b/modules/profile/manifests/openstack/labtestn/keystone/service.pp
-@@ -0,0 +1,50 @@
-+class profile::openstack::labtestn::keystone::service(
-+    $version = hiera('profile::openstack::labtestn::version'),
-+    $nova_controller = hiera('profile::openstack::labtestn::nova_controller'),
-+    $osm_host = hiera('profile::openstack::labtestn::osm_host'),
-+    $db_host = hiera('profile::openstack::labtestn::keystone::db_host'),
-+    $token_driver = 
hiera('profile::openstack::labtestn::keystone::token_driver'),
-+    $db_pass = hiera('profile::openstack::labtestn::keystone::db_pass'),
-+    $ldap_hosts = hiera('profile::openstack::labtestn::ldap_hosts'),
-+    $ldap_user_pass = hiera('profile::openstack::labtestn::ldap_user_pass'),
-+    $wiki_status_consumer_token = 
hiera('profile::openstack::labtestn::keystone::wiki_status_consumer_token'),
-+    $wiki_status_consumer_secret = 
hiera('profile::openstack::labtestn::keystone::wiki_status_consumer_secret'),
-+    $wiki_status_access_token = 
hiera('profile::openstack::labtestn::keystone::wiki_status_access_token'),
-+    $wiki_status_access_secret = 
hiera('profile::openstack::labtestn::keystone::wiki_status_access_secret'),
-+    $wiki_consumer_token = 
hiera('profile::openstack::labtestn::keystone::wiki_consumer_token'),
-+    $wiki_consumer_secret = 
hiera('profile::openstack::labtestn::keystone::wiki_consumer_secret'),
-+    $wiki_access_token = 
hiera('profile::openstack::labtestn::keystone::wiki_access_token'),
-+    $wiki_access_secret = 
hiera('profile::openstack::labtestn::keystone::wiki_access_secret'),
-+    ) {
-+
-+    package {'mysql-server':
-+        ensure => present,
-+    }
-+
-+    require profile::openstack::labtestn::clientlib
-+    class {'profile::openstack::base::keystone::service':
-+        version                     => $version,
-+        nova_controller             => $nova_controller,
-+        osm_host                    => $osm_host,
-+        db_host                     => $db_host,
-+        token_driver                => $token_driver,
-+        db_pass                     => $db_pass,
-+        ldap_hosts                  => $ldap_hosts,
-+        ldap_user_pass              => $ldap_user_pass,
-+        wiki_status_consumer_token  => $wiki_status_consumer_token,
-+        wiki_status_consumer_secret => $wiki_status_consumer_secret,
-+        wiki_status_access_token    => $wiki_status_access_token,
-+        wiki_status_access_secret   => $wiki_status_access_secret,
-+        wiki_consumer_token         => $wiki_consumer_token,
-+        wiki_consumer_secret        => $wiki_consumer_secret,
-+        wiki_access_token           => $wiki_access_token,
-+        wiki_access_secret          => $wiki_access_secret,
-+        require                     => Package['mysql-server'],
-+    }
-+
-+    class {'profile::openstack::base::keystone::hooks':
-+        version => $version,
-+    }
-+
-+    class {'openstack2::keystone::monitor':}
-+}
-diff --git a/modules/profile/manifests/openstack/labtestn/rabbitmq.pp 
b/modules/profile/manifests/openstack/labtestn/rabbitmq.pp
-index 7bd4a8a..bbe088c 100644
---- a/modules/profile/manifests/openstack/labtestn/rabbitmq.pp
-+++ b/modules/profile/manifests/openstack/labtestn/rabbitmq.pp
-@@ -4,8 +4,8 @@ class profile::openstack::labtestn::rabbitmq(
-     $monitor_password = 
hiera('profile::openstack::labtestn::rabbit_monitor_pass'),
-     $file_handles = 
hiera('profile::openstack::labtestn::rabbit_file_handles'),
- ){
--    require ::profile::openstack::labtestn::cloudrepo
- 
-+    require ::profile::openstack::labtestn::cloudrepo
-     class {'::profile::openstack::base::rabbitmq':
-         nova_controller  => $nova_controller,
-         monitor_user     => $monitor_user,
-diff --git a/modules/profile/manifests/openstack/main/keystone/service.pp 
b/modules/profile/manifests/openstack/main/keystone/service.pp
-new file mode 100644
-index 0000000..9997622
---- /dev/null
-+++ b/modules/profile/manifests/openstack/main/keystone/service.pp
-@@ -0,0 +1,55 @@
-+class profile::openstack::main::keystone::service(
-+    $version = hiera('profile::openstack::main::version'),
-+    $nova_controller = hiera('profile::openstack::main::nova_controller'),
-+    $osm_host = hiera('profile::openstack::main::osm_host'),
-+    $db_host = hiera('profile::openstack::main::keystone::db_host'),
-+    $token_driver = hiera('profile::openstack::main::keystone::token_driver'),
-+    $db_pass = hiera('profile::openstack::main::keystone::db_pass'),
-+    $db_name = hiera(profile::openstack::base::keystone::db_name),
-+    $db_user = hiera(profile::openstack::base::keystone::db_user),
-+    $ldap_hosts = hiera('profile::openstack::main::ldap_hosts'),
-+    $ldap_user_pass = hiera('profile::openstack::main::ldap_user_pass'),
-+    $wiki_status_consumer_token = 
hiera('profile::openstack::main::keystone::wiki_status_consumer_token'),
-+    $wiki_status_consumer_secret = 
hiera('profile::openstack::main::keystone::wiki_status_consumer_secret'),
-+    $wiki_status_access_token = 
hiera('profile::openstack::main::keystone::wiki_status_access_token'),
-+    $wiki_status_access_secret = 
hiera('profile::openstack::main::keystone::wiki_status_access_secret'),
-+    $wiki_consumer_token = 
hiera('profile::openstack::main::keystone::wiki_consumer_token'),
-+    $wiki_consumer_secret = 
hiera('profile::openstack::main::keystone::wiki_consumer_secret'),
-+    $wiki_access_token = 
hiera('profile::openstack::main::keystone::wiki_access_token'),
-+    $wiki_access_secret = 
hiera('profile::openstack::main::keystone::wiki_access_secret'),
-+    ) {
-+
-+    require profile::openstack::main::clientlib
-+    class {'profile::openstack::base::keystone::service':
-+        version                     => $version,
-+        nova_controller             => $nova_controller,
-+        osm_host                    => $osm_host,
-+        db_host                     => $db_host,
-+        token_driver                => $token_driver,
-+        db_pass                     => $db_pass,
-+        ldap_hosts                  => $ldap_hosts,
-+        ldap_user_pass              => $ldap_user_pass,
-+        wiki_status_consumer_token  => $wiki_status_consumer_token,
-+        wiki_status_consumer_secret => $wiki_status_consumer_secret,
-+        wiki_status_access_token    => $wiki_status_access_token,
-+        wiki_status_access_secret   => $wiki_status_access_secret,
-+        wiki_consumer_token         => $wiki_consumer_token,
-+        wiki_consumer_secret        => $wiki_consumer_secret,
-+        wiki_access_token           => $wiki_access_token,
-+        wiki_access_secret          => $wiki_access_secret,
-+    }
-+
-+    class {'profile::openstack::base::keystone::hooks':
-+        version => $version,
-+    }
-+
-+    class {'openstack2::keystone::monitor':}
-+
-+    class {'openstack2::keystone::cleanup':
-+        active  => $::fqdn == $nova_controller,
-+        db_user => $db_user,
-+        db_pass => $db_pass,
-+        db_host => $db_host,
-+        db_name => $db_name,
-+    }
-+}
-diff --git a/modules/profile/manifests/openstack/main/rabbitmq.pp 
b/modules/profile/manifests/openstack/main/rabbitmq.pp
-index d3ebb9a..173f645 100644
---- a/modules/profile/manifests/openstack/main/rabbitmq.pp
-+++ b/modules/profile/manifests/openstack/main/rabbitmq.pp
-@@ -4,8 +4,8 @@ class profile::openstack::main::rabbitmq(
-     $monitor_password = 
hiera('profile::openstack::main::rabbit_monitor_pass'),
-     $file_handles = hiera('profile::openstack::main::rabbit_file_handles'),
- ){
--    require ::profile::openstack::main::cloudrepo
- 
-+    require ::profile::openstack::main::cloudrepo
-     class {'::profile::openstack::base::rabbitmq':
-         nova_controller  => $nova_controller,
-         monitor_user     => $monitor_user,
-diff --git a/modules/role/manifests/wmcs/openstack/labtest/control.pp 
b/modules/role/manifests/wmcs/openstack/labtest/control.pp
-index b227a6a..e222364 100644
---- a/modules/role/manifests/wmcs/openstack/labtest/control.pp
-+++ b/modules/role/manifests/wmcs/openstack/labtest/control.pp
-@@ -1,6 +1,5 @@
- class role::wmcs::openstack::labtest::control {
--    include ::profile::openstack::labtest::cloudrepo
--    include ::profile::openstack::labtest::clientlib
-     include ::profile::openstack::labtest::observerenv
-     include ::profile::openstack::labtest::rabbitmq
-+    include ::profile::openstack::labtest::keystone::service
- }
-diff --git a/modules/role/manifests/wmcs/openstack/labtestn/control.pp 
b/modules/role/manifests/wmcs/openstack/labtestn/control.pp
-index c85dc28..efcc95e 100644
---- a/modules/role/manifests/wmcs/openstack/labtestn/control.pp
-+++ b/modules/role/manifests/wmcs/openstack/labtestn/control.pp
-@@ -1,6 +1,5 @@
- class role::wmcs::openstack::labtestn::control {
--    include ::profile::openstack::labtestn::cloudrepo
--    include ::profile::openstack::labtestn::clientlib
-     include ::profile::openstack::labtestn::observerenv
-     include ::profile::openstack::labtestn::rabbitmq
-+    include ::profile::openstack::labtestn::keystone::service
- }
-diff --git a/modules/role/manifests/wmcs/openstack/main/control.pp 
b/modules/role/manifests/wmcs/openstack/main/control.pp
-index 56da43b..0b39950 100644
---- a/modules/role/manifests/wmcs/openstack/main/control.pp
-+++ b/modules/role/manifests/wmcs/openstack/main/control.pp
-@@ -1,6 +1,5 @@
- class role::wmcs::openstack::main::control {
--    include ::profile::openstack::main::cloudrepo
--    include ::profile::openstack::main::clientlib
-     include ::profile::openstack::main::observerenv
-     include ::profile::openstack::main::rabbitmq
-+    include ::profile::openstack::main::keystone::service
- }
--- 
-1.9.1
-


Gerrit-MessageType: newchange
Gerrit-Change-Id: Ia9e4d91805026c4ddb603ef99cceb806a75e18e1
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Faidon Liambotis <[email protected]>
